ASA5505 vpn tunnel

Answered Question
Apr 30th, 2010

I have 2 asa5505's. I have created a site to site vpn tunnel using two local networks. (ex. 192.168.1.0 & 192.168.2.0).

I then tried to make another set of local ip's (ex. 192.168.3.0 & 192.168.4.0) use the same tunnel group, same external endpoints. One set of ip's is for data and the other for ip phones. Vlan 1 is not being used, vlan 2 is the inside interface, vlan 3 is the outside interface, and vlan 4 is the 2nd interface named phones. The first data networks are working fine, but the phones ip data is not flowing. I cannot ping the other side. I set vlan 4 to not forward to interface vlan 2 and set the security to 100 on both ends. These are two independent local networks that don't need to talk to each other. Is there a reason anyone can think of why this wouldn't work?

Jennifer Halim Fri, 04/30/2010 - 06:54

Do you mean you created another crypto map sequence for the second sets?

If you do, that is not correct as you are terminating on the same peer. You just have to add to the existing crypto ACL on both sides for the original vpn tunnel.

So if your first tunnel crypto ACL says:

access-list crypto-acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Just add another line that says:

access-list crypto-acl permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

and of course the mirror image crypto ACL on the peer ASA.

You would also need to add NAT exemption on that interface where the phone subnet is.

razorbakill Fri, 04/30/2010 - 07:35

Thanks for the reply,

Actually I created the first site to site with the vpn wizard and it works fine. I then created the second site to site with the wizard also, and when it came to adding the gateway to gateway, a box popped up saying that the tunnel group already existed and did I want to use it. I said yes. I then went on with the wizard and it completed. Below are the commands it added to the firewall:

!ASA
!Single Routed
!29-Apr-10_18.40.33
!Preview CLI Commands 

crypto isakmp enable phones
access-list phones_1_cryptomap line 1 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound line 2 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map phones_map 1 match address phones_1_cryptomap
crypto map phones_map 1 set  pfs group1
crypto map phones_map 1 set  peer  External IP
crypto map phones_map 1 set  transform-set  ESP-3DES-SHA
crypto map phones_map interface  phones

Does this seem correct?

Jennifer Halim Sat, 05/01/2010 - 00:52

No, that is not correct. If you use the wizard, it will create a brand new tunnel with the same peer end point. You can't configure 2 crypto map names and apply both on the outside interface.

You would need to edit the existing crypto map, and add crypto ACL for the new subnets.

If you check the output of "show run crypto map", it would already have the existing tunnel configuration, and since the peer address is the same, just add another line to the existing crypto ACL, and remember to configure the mirror image ACL on the peer device.

razorbakill Sat, 05/01/2010 - 06:57

Very good, I understand now, thanks. One other question about nat.

I currently have 2 nat statements on one of the firewalls for nat as follows:

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

The other firewall has one as follows:

nat (inside) 0 access-list inside_nat0_outbound

Now, would I add a statement to the current access-list inside_nat0_outbound, then write a nat exception as follows:

nat (phones) 0 access-list inside_nat

Or should I write a new access-list such as access-list phones_nat0_outbound extended permit ip (ip info), then apply to a new nat statement such as:

nat (phones) 0 access-list phones_nat0_outbound. I'm a little confused on the number that follows the nat statement,


or each nat statement needs to be in number order such as

nat (inside) 0

nat (inside) 1

nat (phones) 2

I thank you for your help and patience. I'm pretty good with routers and switches, but an admitted novice with firewalls.

Correct Answer
Jennifer Halim Sat, 05/01/2010 - 18:29

Depending on how the phone subnet is connected on the ASA.

If your phone subnet is connected on a separate interface on the ASA (for example: an interface that you have named "phones"), then you would need to create a new access-list and assign it to the "phones" interface.


Example:

access-list phones-nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

nat (phones) 0 access-list phones-nonat

On the other hand, if the phone subnet is connected to the ASA via the inside interface, ie: phone subnet is routed via the inside interface of the ASA, then you only need to add the line to the existing ACL on the inside interface.

Example:

Currently the inside NAT statement says "nat (inside) 0 access-list 101", and all you need to add is another line to ACL 101 as follows:

access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

Here is a sample configuration with 2 internal interfaces (inside and dmz) for site-to-site vpn tunnel for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml

From the sample configuration, it is using the same ACL NoNAT for both inside and dmz interfaces. I would recommend that you create a different ACL for the NAT statement for each interface instead of using the same ACL on both interfaces.

Hope that helps.
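The two rules Jennifer gives in this thread (one crypto map on the peer-facing interface, with the new subnet pair added to the existing crypto ACL and mirrored on the peer, plus a nat 0 exemption on the interface the subnet sits behind) can be checked mechanically. The Python script below is an added example written for this page, not code from the thread or from Cisco. It parses 8.2-style ASA config text and reports the three mistakes the thread walks through. Both config texts embedded in it are constructed for the example from the subnets in the question: site A is the finished configuration, site B is what the wizard left behind (a second crypto map bound to the phones interface and no exemption on the phones interface). The parser assumes each local subnet is directly connected to a named interface, understands only the `A MASK`, `host A` and `any` address forms, and omits the `interface VlanN` lines, since only `nameif` and `ip address` are read.

```python
# Added example: lint two ASA 8.2-style configs for the site-to-site mistakes discussed in this thread.
# Not code from the thread or from Cisco; both config texts below are constructed.
import ipaddress
import re

CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)$")
CRYPTO_IFC_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def _addr(t, i):
    """Parse one ACL address spec ('any', 'host A' or 'A MASK') starting at token i."""
    if t[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_config(text):
    """Collect 'permit ip' ACL lines, crypto-map match/bind lines, nat 0 exemptions and interface IPs."""
    cfg = {"acls": {}, "maps": {}, "bindings": {}, "nat0": {}, "ifc_ip": {}}
    ifc = None
    for raw in text.splitlines():
        line, t = raw.strip(), raw.split()
        if not t:
            continue
        if t[0] == "interface":
            ifc = None                      # new interface block; its nameif comes next
        elif t[0] == "nameif":
            ifc = t[1]
        elif t[:2] == ["ip", "address"] and ifc:
            cfg["ifc_ip"][ifc] = t[2]
        elif t[0] == "access-list" and "permit" in t:
            p = t.index("permit")           # tolerates 'line N' / 'extended' before it
            if t[p + 1] == "ip":            # tcp/udp entries are never crypto or NAT0 lines
                src, i = _addr(t, p + 2)
                dst, _ = _addr(t, i)
                cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif m := CRYPTO_MATCH_RE.match(line):
            cfg["maps"].setdefault(m[1], []).append(m[2])
        elif m := CRYPTO_IFC_RE.match(line):
            cfg["bindings"].setdefault(m[2], []).append(m[1])
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m[1]] = m[2]
    return cfg

def crypto_entries(cfg, ifc=None):
    """Crypto ACL lines of every map, or only of the maps bound to interface `ifc`."""
    names = cfg["bindings"].get(ifc, []) if ifc else list(cfg["maps"])
    return [e for n in names for acl in cfg["maps"].get(n, []) for e in cfg["acls"].get(acl, [])]

def missing_mirrors(local, peer, ifc="outside"):
    """Our crypto ACL lines (maps on `ifc`) whose mirror image the peer's maps on `ifc` lack."""
    peer_set = set(crypto_entries(peer, ifc))
    return [(s, d) for s, d in crypto_entries(local, ifc) if (d, s) not in peer_set]

def binding_problems(cfg, peer_ifc="outside"):
    """Maps bound to an interface that does not face the peer, or a second map on the one that does."""
    return [(m, ifc) for ifc, maps in cfg["bindings"].items()
            if ifc != peer_ifc or len(maps) > 1 for m in maps]

def nat0_gaps(cfg):
    """Crypto ACL lines with no nat 0 exemption on the interface whose address is in the local subnet."""
    gaps = []
    for src, dst in crypto_entries(cfg):
        net = ipaddress.ip_network(f"{src[0]}/{src[1]}", strict=False)
        ifcs = [n for n, ip in cfg["ifc_ip"].items() if ipaddress.ip_address(ip) in net]
        exempt = [cfg["acls"].get(cfg["nat0"].get(n, ""), []) for n in ifcs]
        if not any((src, dst) in acl for acl in exempt):
            gaps.append((src, dst))
    return gaps

# Constructed site A: the finished configuration (interface VlanN lines omitted).
SITE_A = """\
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 nameif phones
 ip address 192.168.3.1 255.255.255.0
access-list crypto-acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto-acl permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list phones-nonat permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (phones) 0 access-list phones-nonat
crypto map outside_map 1 match address crypto-acl
crypto map outside_map interface outside
"""

# Constructed site B: what the wizard produced (second map on the phones interface, no phones exemption).
SITE_B = """\
 nameif inside
 ip address 192.168.2.1 255.255.255.0
 nameif phones
 ip address 192.168.4.1 255.255.255.0
access-list crypto-acl permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list phones_1_cryptomap line 1 extended permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address crypto-acl
crypto map outside_map interface outside
crypto map phones_map 1 match address phones_1_cryptomap
crypto map phones_map interface phones
"""

if __name__ == "__main__":
    a, b = parse_config(SITE_A), parse_config(SITE_B)
    print("B lacks mirror of:", missing_mirrors(a, b))
    print("B binding problems:", binding_problems(b), "B nat 0 gaps:", nat0_gaps(b))
```

Run against the constructed pair, the script reports that site B has no mirror of A's phones line on its outside map, that `phones_map` is bound to the phones interface rather than the peer-facing one, and that the 192.168.4.0 to 192.168.3.0 line has no nat 0 exemption on the phones interface; the same three findings come out empty for site A.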

razorbakill Sun, 05/02/2010 - 17:56

Yes that definitely helps, Thank You.

You know, I searched up and down the show commands but could not find one that would show me the local networks that are associated with, or go across, a specific VPN tunnel, whether it's 1 network or 3 local networks. Do you know any commands that show them?

Jennifer Halim Sun, 05/02/2010 - 18:18

Are you trying to find out what local subnets have been configured on the ASA?

You can run "show run interface", and the output would show you what subnet/interface have been configured currently on the ASA.

You can also run "show route" to check if any specific local subnet has been routed through one of the interfaces.

razorbakill Sun, 05/02/2010 - 19:25

No, those I know. Say you have a single site to site ( or gateway to gateway) vpn tunnel through the internet. But you setup multiple local networks on each side to cross the single tunnel as we discussed in this thread. Is there a show command that would say that here is this one vpn tunnel and these are the permitted local (or private) networks that are configured to cross that one vpn tunnel? Maybe even the statistics, such as how much traffic is being sent and received through the vpn tunnel from each local network configured to use the vpn tunnel?

Correct Answer
Jennifer Halim Sun, 05/02/2010 - 19:35

Yes, "show crypto ipsec sa" will show you the statistics for each ACL line that you have configured for your crypto ACL. It will show how many packets have been encrypted and decrypted per ACL subnet pair.

razorbakill Mon, 05/10/2010 - 04:55

Hi again,

Well, finally went on site, added those two lines of code, 1 to the existing crypto map ACL, and created a new nat0 phones ACL. I was now able to pass traffic from the inside and phones interface down the one tunnel. The inside interface always worked, being able to RDP to other PCs, cameras running across the VPN, etc., TCP sessions. But on the phones network I can ping anything on the other side of the VPN tunnel and thought all was good. The only thing is that it seems I can't open anything on the other side through the phones interface, just ping. I can telnet to the level 3 switch on the other side through the inside interface but NOT through the phones interface. It seems like I can't do TCP sessions. I was under the impression these VPN tunnels should pass the traffic as trusted traffic as if it was inside and part of the whole network. Any ideas? I can post the configs from both ASA5505s if needed.

Thanks again, you've been most helpful.

Jennifer Halim Mon, 05/10/2010 - 04:59

Please post the config from both ASAs, and also advise the source and destination ip address of the traffic which is not working.

Thanks for the rating.

razorbakill Mon, 05/10/2010 - 07:28

Thanks Halijenn,

Here are the configs, edited to protect the innocent, lol. Also, I can't get out to the internet on the remote config. I mean I can, or I wouldn't have a VPN tunnel. But you can't browse the internet from a PC at the remote location on either network; I only really need it on the inside interface. Any ideas on that too? At first I noticed no nat statement on the inside interface (nat 1 0.0.0.0 0.0.0.0) but I added this and still no browse.

The inside interface on both configs is passing traffic fine. (10.1.1.0 to 10.4.1.0)

The phones interface has connectivity, I can ping accross the vpn tunnel, but no other communication (tcp). The networks there are 10.1.5.0 to 10.4.5.0.

Thanks

Correct Answer
em6557 Mon, 05/10/2010 - 08:06

Change the following on the remote side: global (inside) 1 interface to global (outside) 1 interface. This will PAT the inside hosts to the outside for internet access.

razorbakill Mon, 05/10/2010 - 19:28

Jeez, I don't know how I missed that. I need some time off,lol. Thanks em6557

Still not sure why I can't communicate on phones vlan1 interface, network 10.4.5.0 to 10.1.5.0, or vice versa through the vpn tunnel, only can ping through the vpn tunnel for those networks.

Inside interface and networks, 10.1.1.0 to 10.4.1.0, work fine.

Is it possibly the limitation of the basic license of the asa5505? Or are the configs correct and it should work???

Jennifer Halim Mon, 05/10/2010 - 20:33

Configuration looks correct on both sides of the ASA.

Can you please advise what ip address you are trying to ping from and to from the 10.1.5.0/24 and 10.4.5.0/24 subnets?

If you are trying to ping, please also add the following icmp inspection on both ASA:

policy-map global_policy
 class inspection_default
  inspect icmp

After you ping from the phones subnet, please kindly grab the output of:

show crypto ipsec sa

yuvami251168 Tue, 05/11/2010 - 18:09

Hi, I have the same problem with two Cisco ASA5505s.

I already have a VPN working between site A and site B. Now the customer asks me to connect the IP PBXs together, so I created a VLAN 10 at both sides.

At site A 172.18.100.0 and at site B 172.18.101.0. I created the ACL for those addresses under the ACL of the data; I only added the line, but it is not working.

When I try to ping from site B, while I am at the config terminal of the ASA, to the eth port of the remote site, I don't receive a response. It is the same problem in both directions.

ksilvaoplk Tue, 05/11/2010 - 20:50

Hi Yuri, sorry, the packet-tracer command is as follows; I misplaced the sequence numbers:

packet-tracer  input VoIP icmp 172.18.100.1 2 2 172.18.101.1 detail

ksilvaoplk Tue, 05/11/2010 - 19:19

Hello Yuri, sorry for my English.

I see only two problems with the site A:

1) This access-list:

access-list outside_nat0_outbound extended permit ip interface VoIP 172.18.101.0 255.255.255.0

This allows only the traffic from the interface and not from the voice device.

2) Why did you place the Nat0 here: "nat (outside) 0 access-list outside_nat0_outbound"?

the Nat0 should go only to the VoIP interface.

On site B I see everything properly configured. On site A it should be of the form:


access-list outside_nat0_outbound extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
nat (VoIP) 0 access-list outside_nat0_outbound

access-list outside_100_cryptomap extended permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0 (is good)

These lines are not applied in any place:

access-list nonatVoIP extended permit ip host 192.168.8.133 10.0.5.0 255.255.255.0
access-list nonatVoIP extended permit ip host 192.168.8.133 host 10.0.5.7
access-list nonatVoIP extended permit ip any 192.168.8.0 255.255.255.0

You can try the command

packet-tracer input VoIP icmp 172.18.100.1 0 0 172.18.101.1 detail

and place the results here?

I hope to be of help to you.

ksilvaoplk Wed, 05/12/2010 - 17:37

Hello Yuri, a suggestion about how to conduct the tests. The ping must be done from an internal device: if you ping with "eppacurie (config) # ping 172.18.101.100", the ASA sends the IP packet with the source IP of the OUTSIDE interface and the other site does not respond. The suggestion is: put a laptop in the VoIP segment with a valid IP 172.18.100.X and leave a permanent ping running: ping 172.18.100.X -t. Then go to the ASA, and with the command "show crypto ipsec sa" you should see whether there are "matches" in the traffic, for example:


SITE A:

show crypto ipsec sa
interface: outside
    Crypto map tag: VPNMAP, seq num: 36, local addr: 200.44.188.130

      access-list outside_100_cryptomap permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0 
      local ident (addr/mask/prot/port): (172.18.100.0 255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      current_peer: 12.132.144.202

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10 (These are the packets that you send from your laptop)
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9    (These are the packets you receive from the remote network)
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10 , #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 66.194.160.10, remote crypto endpt.: 12.132.144.202

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 77F9B42B (This is  different according to your connection)

On the other ASA you should see more or less the same, but it must show packets encrypted and decrypted, more or less the same amount on both sides.

The INSIDE interface usually does not answer PING. I suggest you put a PC or laptop on each side to test the ping between the devices, for example:

A LAPTOP at eppacurie with IP 172.18.100.10 pinging the laptop with IP 172.18.101.10 at Northeast. Remember to disable the firewall of the two devices during the test.

please send to me:

show crypto ipsec sa (both device)

show crypto isa sa (both device)

The packet-tracer at site A is good; traffic passes through all stages before being sent.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
             
Phase: 4     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
             
Phase: 5     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
             
Phase: 6     
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
             
Phase: 7     
Type: NAT-EXEMPT
Subtype:     
Result: ALLOW
             
Phase: 8     
Type: NAT    
Subtype:     
Result: ALLOW

Phase: 9     
Type: NAT    
Subtype: host-limits
Result: ALLOW

Phase: 10    
Type: HOST-LIMIT
Subtype:     
Result: ALLOW
   
Phase: 11    
Type: VPN    
Subtype: encrypt
Result: ALLOW

Phase: 12    
Type: FLOW-CREATION
Subtype:     
Result: ALLOW

Module information for reverse flow ...
             
Phase: 13    
Type: FLOW-LOOKUP
Subtype:     
Result: ALLOW
 
             
Module information for reverse flow ...
             
Result:      
input-interface: VoIP
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Have you worked with the CAPTURE command? You can configure it to see whether the traffic is sent and received normally.

This line should not be placed on this interface (SITE A):

nat (outside) 0 access-list outside_nat0_outbound

ksilvaoplk Thu, 05/13/2010 - 11:04

Hello,  Yuri.

With this capture we can see that the problem is at site B:

Northeast# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 12.132.144.202

      access-list outside_20_cryptomap permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.100.0/255.255.255.0/0/0)
      current_peer: 66.194.160.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0     
      #pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32

      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

The PC at site B is not answering the ping, or the ASA is not encrypting. The reasons would be:

1 - The PC has an active firewall or antivirus blocking the PING.
2 - The PC's gateway is not the ASA.

Let's put a capture:

access-list capture-out permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0

access-list capture-out permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0

capture inside access-list capture-out interface VoIP circular-buffer

In the capture you should see the packets in and out. Please send me the capture you see there.
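Jennifer's earlier note that "show crypto ipsec sa" gives counters per crypto ACL line, and the way ksilvaoplk reads them in this post (site A: encaps 10 / decaps 9; site B: encaps 0 / decaps 32, so site B decrypts what arrives but never encrypts anything back), reduce to a small parser. The Python below is an added example written for this page, not code from the thread or from Cisco. It extracts each SA's crypto ACL name, local and remote identities, peer and packet counters, classifies the SA from the encaps/decaps pattern, and decodes the trailing /0/0 of the ident: protocol 0 and port 0 mean the ACL line covers every protocol and port. The two outputs embedded in it are the thread's own, trimmed to the lines the parser reads; the classification labels are this example's, not ASA output.

```python
# Added example: parse 'show crypto ipsec sa' output and classify each SA from its counters.
# Not code from the thread or from Cisco; the two outputs below are the thread's, trimmed.
import re

TAG_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit ip ")
# The page shows the mask after a space on one ASA and after a slash on the other; accept both.
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)[ /](\S+?)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+),")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+),")
ERR_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")

def parse_ipsec_sa(text):
    """One dict per SA: crypto map, ACL name, local/remote ident, peer and packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := TAG_RE.search(line):
            cur = {"map": m[1], "seq": int(m[2]), "local_addr": m[3], "acl": None,
                   "encaps": 0, "decaps": 0, "send_err": 0, "recv_err": 0}
            sas.append(cur)
        elif cur is None:
            continue                        # header text before the first SA block
        elif m := ACL_RE.search(line):
            cur["acl"] = m[1]
        elif m := IDENT_RE.search(line):
            cur[m[1]] = {"net": m[2], "mask": m[3], "proto": int(m[4]), "port": int(m[5])}
        elif m := PEER_RE.search(line):
            cur["peer"] = m[1]
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m[1])
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m[1])
        elif m := ERR_RE.search(line):
            cur["send_err"], cur["recv_err"] = int(m[1]), int(m[2])
    return sas

def any_proto(ident):
    """prot/port of 0/0 in the ident means the ACL line covers every protocol and port."""
    return ident["proto"] == 0 and ident["port"] == 0

def diagnose(sa):
    """Classify an SA the way the thread reads the counters (labels are this example's)."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no-traffic"   # nothing has matched this crypto ACL line in either direction
    if sa["encaps"] == 0:
        return "rx-only"      # peer's packets decrypt here, but no local reply is being encrypted
    if sa["decaps"] == 0:
        return "tx-only"      # we encrypt, the peer never sends anything back
    return "ok"

def report(text, label):
    """One human-readable line per SA."""
    out = []
    for sa in parse_ipsec_sa(text):
        l, r = sa["local"], sa["remote"]
        scope = "any proto/port" if any_proto(l) and any_proto(r) else f"proto {l['proto']}/port {l['port']}"
        out.append(f"{label}: {sa['acl']} {l['net']}->{r['net']} ({scope}) "
                   f"encaps={sa['encaps']} decaps={sa['decaps']} -> {diagnose(sa)}")
    return out

# Site A output from the thread, trimmed to the lines read above.
SITE_A_SA = """\
interface: outside
    Crypto map tag: VPNMAP, seq num: 36, local addr: 200.44.188.130

      access-list outside_100_cryptomap permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.18.100.0 255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      current_peer: 12.132.144.202

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #send errors: 0, #recv errors: 0
"""

# Site B output from the thread, trimmed the same way.
SITE_B_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 12.132.144.202

      access-list outside_20_cryptomap permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.18.101.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.100.0/255.255.255.0/0/0)
      current_peer: 66.194.160.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
      #send errors: 0, #recv errors: 0
"""

if __name__ == "__main__":
    for line in report(SITE_A_SA, "site A") + report(SITE_B_SA, "site B"):
        print(line)
```

Against the two outputs the site A SA comes out "ok" and the site B SA "rx-only", which is exactly the asymmetry the post above draws the conclusion from; a "no-traffic" result on both sides would instead point at the crypto ACL never matching (wrong subnet pair or a NAT applied before encryption).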

yuvami251168 Thu, 05/13/2010 - 11:38

OK, then you need the capture only on site B?

And when I give the capture instruction, will the ASA generate a file, or is it going to display the information on the screen? If it is a file, how can I get it?

ksilvaoplk Thu, 05/13/2010 - 11:56

Oh sorry Yuri, yes, the capture is only on the ASA at site B. To see the capture, use the command:

show capture inside

inside is the name of the capture. Then you will see the processing this packet went through. Only on site B, because the packet enters the ASA but gets no response from the PC, as shown in the capture that I sent you.

ksilvaoplk Thu, 05/13/2010 - 21:23

Good Morning Yuri,

Did you place this command in this way?

global (VoIP) 1 interface   (Before testing I suggest you remove it)

The capture shows that packets enter the ASA but ...

  1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   2: 19:51:44.946652 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   3: 19:51:50.439628 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request

No response. The incoming packets are icmp: echo request, but the PC or laptop you are pinging is not responding. The packet you should see is:

19:51:39.446067 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41:  icmp: echo reply

The packets are arriving at the ASA, leaving via the correct VLAN interface: 1: 19:51:39.446067 802.1Q vlan#10

Do the following tests and send me the results:

1) ping to the PC from  the ASA, as follows

ASA# ping 172.18.101.41 (must be answered)

2) in the PC:

C:\ tracert 172.18.101.41

C:\ ping 172.18.101.41

3) in the PC:

C:\ route print
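ksilvaoplk's reading of the capture above (echo requests arriving on the VoIP VLAN with no echo reply ever appearing) is worth scripting once a capture has run for a while and holds more than a handful of lines. The Python below is an added example for this page, not code from the thread or from Cisco. It parses the ICMP lines of "show capture" output, pairs each src > dst request with replies flowing dst > src, and lists the pairs that never got an answer, which is the symptom the post attributes to a host firewall or to a host whose default gateway is not the ASA. The first three capture lines in it are the thread's; the last two are constructed to show a host that does answer.

```python
# Added example: pair ICMP echo requests with replies in ASA 'show capture' output.
# Not code from the thread; lines 1-3 of CAPTURE are the thread's, lines 4-5 are constructed.
import re
from collections import defaultdict

# Shape: '<n>: <time> [802.1Q vlan#N P0] <src> > <dst>: icmp: echo request|reply'
CAP_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp: echo (?P<kind>request|reply)\s*$")

def summarize_echo(lines):
    """Map (src, dst) -> (echo requests seen src->dst, echo replies seen dst->src)."""
    requests, replies = defaultdict(int), defaultdict(int)
    for line in lines:
        m = CAP_RE.match(line)
        if not m:
            continue                                 # other protocols or non-capture text
        if m["kind"] == "request":
            requests[(m["src"], m["dst"])] += 1
        else:
            replies[(m["dst"], m["src"])] += 1       # a reply B->A answers requests A->B
    return {pair: (n, replies.get(pair, 0)) for pair, n in requests.items()}

def unanswered(lines):
    """Pairs that sent echo requests through the ASA and never saw a reply come back."""
    return sorted(p for p, (req, rep) in summarize_echo(lines).items() if req and not rep)

CAPTURE = """\
   1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   2: 19:51:44.946652 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   3: 19:51:50.439628 802.1Q vlan#10 P0 172.18.100.41 > 172.18.101.41: icmp: echo request
   4: 19:51:51.100000 802.1Q vlan#10 P0 172.18.100.42 > 172.18.101.42: icmp: echo request
   5: 19:51:51.100900 802.1Q vlan#10 P0 172.18.101.42 > 172.18.100.42: icmp: echo reply
"""

if __name__ == "__main__":
    for pair, (req, rep) in summarize_echo(CAPTURE.splitlines()).items():
        print(f"{pair[0]} -> {pair[1]}: {req} request(s), {rep} reply(ies)")
    print("no reply from:", unanswered(CAPTURE.splitlines()))
```

The check is one-directional by design: a pair that shows up in `unanswered` tells you the request crossed the ASA and the answer did not come back through it, which separates a tunnel problem (the request would never appear) from a host-side problem (the request appears, the reply does not).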

ksilvaoplk Fri, 05/14/2010 - 21:47

Hi, Yuri. I saw the tests. In your capture I saw that your computer has two default routes; what is the reason for this?

Please make the following tests:

1) from computer

    C:\ tracert 172.18.100.41

2) active the capture:

   access-list capture-out permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0

   access-list capture-out permit ip 172.18.100.0 255.255.255.0 172.18.101.0 255.255.255.0

   capture inside access-list capture-out interface VoIP circular-buffer

   from computer: C:\ ping 172.18.100.41 -t

   In the ASA see the capture: "show capture inside"

    you should see the incoming packets to the ASA as follows:

    1: 19:51:39.446067 802.1Q vlan#10 P0 172.18.101.41 > 172.18.100.41: icmp: echo request

  3) C:\ tracert 200.44.32.12

ksilvaoplk Tue, 05/18/2010 - 10:57

Good morning Yuri,

the tracert was to the IP 172.18.100.41.

The capture doesn't show any outgoing packets from the IP of your PC; these packets are not arriving at the ASA. Could you please verify the PC?

All verifications that we have done indicate that the ASA is fine.

please try the  following,

place the following  command on the PC cmd:

C:\ route add 172.18.100.41 mask 255.255.255.255 172.18.101.1

C:\ tracert 172.18.100.41

in the ASA:

asa# clear capture inside

asa# show capture inside

you must see the packets from your PC in the capture.

please send me the results.

best regards.

yuvami251168 Wed, 05/19/2010 - 13:01

I went again to do the tests. I cancelled my wireless connection and only connected the ethernet port of my laptop with the IP 172.18.101.41.

I cannot ping the IP of the telephone system at the main site at Mesa, 172.18.100.1, and I put in the instruction

C:\ tracert 200.44.32.12

but I didn't receive anything; here is the screen of my laptop.

From the ASA, I can ping my laptop, no problem.

And the ASA doesn't show packets in the capture....

ksilvaoplk Wed, 05/19/2010 - 17:01

Hi Yuri,

Thanks for your patience in making all the tests.

If possible, please send me the latest configuration of the ASA (Northeast). I'm going to attach how the configuration should be so you can compare it.

Have you tested with another PC?
Have you tested on another port on the ASA?

From the 172.18.101.X network you should be able to browse the Internet, as long as you set:

global (outside) 1 interface

nat (VoIP) 0 access-list nonatVoIP

nat (VoIP) 1 0.0.0.0 0.0.0.0

Please send me the packet-tracer from the ASA again.

ksilvaoplk Wed, 06/02/2010 - 08:39

Good morning, could you solve the problem? What ASA IOS version do you have?

Is the current configuration this?

INTERFACE:

interface Vlan10
 no forward interface Vlan1
 nameif VoIP
 security-level 100
 ip address 172.18.101.100 255.255.255.0

VPN:

access-list outside_20_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
access-list nonatVoIP extended permit ip 172.18.101.0 255.255.255.0 172.18.100.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 66.194.160.10
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 66.194.160.10 type ipsec-l2l
tunnel-group 66.194.160.10 ipsec-attributes
 pre-shared-key *

NAT AND NONAT:

global (outside) 1 interface
nat (VoIP) 0 access-list nonatVoIP
nat (VoIP) 1 172.18.101.0 255.255.255.0

ACL:

access-list VoIP-in permit ip 172.18.101.0 255.255.255.0 any
access-group VoIP-in in interface VoIP

yuvami251168 Wed, 05/12/2010 - 15:55

Hi, I made the changes but still I cannot ping the remote site.... Also I tried to ping the remote data network and I don't get a response.

Here is the current configuration of site A (Mesa) and the packet tracer; site B has no changes, and I added its packet tracer.

razorbakill Wed, 05/12/2010 - 06:46

I was onsite at the remote location with a laptop on the 10.4.5.0 network. I just gave my laptop an ip in this range and was able to ping devices at the other end of the vpn tunnel on the 10.1.5.0 network(10.1.5.6, 10.1.5.7, etc).

These 2 networks are used for just the ip based phone system. The only devices that will be on these networks will be anything associated with the phone system, ip phones, pbx, etc.

I'll be onsite tomorrow, but here are the outputs of the two ASAs with the sh crypto ipsec sa command.

If you can think of anything else before I go onsite please let me know.

Thanks

Halijenn,

Do these lines from the sh crypto ipsec sa show that the traffic going through the tunnel is unrestricted? In particular the zeros for the protocol and ports that are in bold? Does that represent ANY protocol, ANY port?

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (10.4.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.5.0/255.255.255.0/0/0)

em6557 Tue, 05/11/2010 - 06:58

Can you post the config of the switchport that connects to the HQ ASA for the Phones network? According to your config it is port 38 of the 3550 switch on vlan 5 for IP phones to the remote.

razorbakill Wed, 05/12/2010 - 16:51

I currently don't have access to the 3550. I will see tomorrow if I can get access.
